ICO publishes advice on compliance with cookie law change

The Information Commissioner’s Office has issued advice on how businesses and organisations in the UK can comply with a new EU law on the use of cookies.

The move comes a couple of months after the Information Commissioner, Christopher Graham, urged the public sector and other organisations to “wake up to the fact that this is happening”.

The change in the law will come into force on 26 May 2011, following an amendment to the Privacy and Electronic Communications Directive.

It requires businesses and organisations running websites in the UK to get informed consent from visitors to their websites in order to store and retrieve information on users’ computers. This is often done by use of a cookie.

The ICO’s advice follows the publication of UK regulations by the Department for Culture, Media and Sport. In it the watchdog suggests organisations should:

  • Check what type of cookies and similar technologies they use and how they use them
  • Assess how intrusive their use of cookies is
  • Decide what solution to obtain consent will be best in their circumstances.

The ICO said it was advising organisations that they are not able to rely on a user’s browser settings to get user consent, and that for now they have to gain consent in some other way.

“What is appropriate for you will depend on what you are doing,” the advice said. “You need to provide information about cookies and obtain consent before a cookie is set for the first time. Provided you get consent at that point you do not need to do so again for the same person each time you use the same cookie (for the same purpose) in future.”

The advice covers a range of issues including the use of pop-ups and similar techniques, terms and conditions, settings-led consent, feature-led consent, functional uses and third party cookies.

The watchdog said that changing terms of use for a website to include consent for cookies would not be good enough even if the user had previously consented to the overarching terms.

The Information Commissioner, Christopher Graham, said: “The advice we’ve issued today should help businesses and organisations to get on the road to compliance in a way that causes them – as well as UK consumers – minimal disruption.

“The implementation of this new legislation is challenging and involves significant technological considerations. That’s why we’ve already consulted a wide range of stakeholders. But we want to spread the net as wide as we can and would welcome further comments from others who have practical examples to share.”

The Information Commissioner acknowledged that the advice was “very much a work in progress and doesn’t yet provide all of the answers”.

“We’re responsible for regulating the new law and will undoubtedly start to receive complaints about companies who are using cookies without consent,” Graham added. “We’d urge all UK businesses and organisations to read our advice and start working out how they will meet the requirements of this new law.”

The ICO plans to publish advice for consumers as well as information on how it will approach enforcement shortly.

The DCMS changes to the Privacy and Electronic Communications Regulations also hand other new powers to the ICO, including the power to serve monetary penalties of up to £500,000 to organisations that make unwanted marketing phone calls.

The advice can be downloaded here.